Secretive Startup With Pentagon Ties Has Plan to Stymie Hackers

A long-secretive cybersecurity startup founded by former Pentagon employees isn’t so spooky after all. It just wants to slow hackers down.

Shape Security is creating software that could, for instance, stop Russian hackers from converting the 40 million credit- and debit-card numbers stolen from Target over the holidays into cash before customers cancel their cards.

According to security experts, the company appears to be the first to try to block rapid-fire fraud programs by having a website constantly shift its code, making it hard to write automated hacking tools.

Shape, which is mum on its valuation, has raised $26 million in early-stage funding, the company says. It is based in Mountain View and is backed by Google Ventures, Kleiner Perkins Caufield & Byers and others, and counts Citigroup and StubHub as clients, according to officials at both companies.

Here is Shape’s strategy: Most hackers rely on an army of infected computers to run automated attacks against a victim. For instance, if they want to bring a website down, hackers will have their slave computers ping that site with useless traffic until it is overwhelmed – a move that is called a denial-of-service attack. Or if the hackers want to convert thousands of credit cards into retail gift cards or valuable goods that can be used for cash, they run an automated program to buy the valuable goods quickly. It’s a race against time until customers figure out their credit-card number has been stolen and get a new card.

Hackers can do this by looking at the code behind a website. They then write programs that fill in the blanks in Web forms. Shape tries to stop these attacks by having its software constantly scramble the code underneath a website, which looks unchanged on your Internet browser.
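A minimal sketch of the idea described above, added here as an illustration and not Shape's code or algorithm: the server gives every served form fresh field names derived from a secret key and a one-time nonce, so a script written against fixed names no longer matches the page. The field names, the key handling and the helper functions are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumptions for this example: a per-process secret key and a
# hypothetical checkout form with three real field names.
SERVER_KEY = secrets.token_bytes(32)
FIELDS = ("card_number", "expiry", "cvv")
_issued = set()  # nonces of forms served and not yet submitted


def alias(field, nonce):
    """Derive the name a real field carries in one served copy of the form."""
    msg = f"{nonce}:{field}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return "f_" + mac[:16]


def render_form():
    """Serve the form with field names that differ on every request."""
    nonce = secrets.token_hex(8)
    _issued.add(nonce)
    inputs = "".join(f'<input name="{alias(f, nonce)}">' for f in FIELDS)
    hidden = f'<input type="hidden" name="n" value="{nonce}">'
    return nonce, f'<form method="post">{hidden}{inputs}</form>'


def decode_submission(posted):
    """Map aliased names back to real fields.

    Returns None when the nonce was never issued, was already used,
    or the posted names do not match the form that was served.
    """
    nonce = posted.get("n")
    if nonce not in _issued:
        return None
    _issued.discard(nonce)  # each served form is accepted once
    values = {}
    for field in FIELDS:
        name = alias(field, nonce)
        if name not in posted:
            return None
        values[field] = posted[name]
    return values
```

In this sketch the unpredictability rests on the server key and the nonce, not on the derivation being secret. A rejected submission (fixed field names, or a reused nonce) is also a useful signal to log for detecting automation.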

The tactic, mathematically, makes sense. Of course, if someone figures out Shape’s algorithm for randomly shifting computer code, hackers and their victims could be back to square one.

Correction: An earlier version of this article incorrectly referred to StubHub as SubHub.